Security as a Strategy (SaaS)

Obama’s Focus on Secure Collaboration

The failed attack on a U.S. airliner on December 25, 2009 prompted U.S. President Barack Obama to focus on the state of collaboration between U.S. intelligence and security agencies. President Obama stated, "The bottom line is this: the U.S. government had sufficient information to have uncovered this plot and potentially disrupt the Christmas Day attack. But our intelligence community failed to connect those dots, which would have placed the suspect on the no-fly list. In other words, this was not a failure to collect intelligence, it was a failure to integrate and understand the intelligence that we already had."

The President's ire has led to focus on an initiative by the Office of the Director of National Intelligence (ODNI) to create a "common trust environment" for collaboration and sharing of information within the U.S. intelligence community.

In the words of Director J.M. McConnell, "The information sharing strategy is focused on developing a 'responsibility to provide' culture in which we unlock intelligence data from a fragmented information technology infrastructure spanning multiple intelligence agencies and make it readily discoverable and accessible from the earliest point at which an analyst can add value."

"This new information sharing model will rely on attribute-based access and tagged data with security built-in to create a trusted environment for collaboration among intelligence professionals to share their expertise and knowledge."

Shift to role and policy-based network security

The foundation of this initiative is a shift from traditional firewall and identity-based security to role- and policy-based management of the network. Policy-based security can adjust controls on the fly so that the right users have the right access to the right information, from the right place, at the right time.

We find policy-based security controls in Network Access Control solutions and flow-based network switches, which give security managers granular control of the network. You can manage who has access to specific databases, at what time of day, from which location, from which department, in which functional (role) responsibility and even from what type of device.

In a dynamic environment such as that found in government intelligence agencies, it is policy-based security that will enable true collaboration amongst disparate parties dealing with sensitive information.
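To make the "right user, right access, right information, right place, right time" idea concrete, here is an added example (not code from the original post, ODNI, or any vendor) of a minimal attribute-based policy evaluator: each rule constrains role, department, location, device type and time of day, and the decision is default-deny with the matching rule's name returned so it can be logged for audit. All attribute names, the sample policy and the sample requests are constructed assumptions.

```python
"""Added example: attribute-based access decisions over user, resource and
environment attributes. Attribute names, rules and requests are assumptions
constructed for illustration, not any agency's or product's policy language."""
from dataclasses import dataclass
from datetime import time


@dataclass(frozen=True)
class Request:
    """Attributes of one access attempt, as a policy enforcement point sees them."""
    user: str
    roles: frozenset
    department: str
    location: str
    device: str
    resource: str
    action: str
    clock: time  # local time of day at which the request is made


@dataclass
class Rule:
    """A permit rule. An empty attribute set means 'no constraint on this attribute'."""
    name: str
    resource: str
    actions: frozenset
    roles: frozenset = frozenset()
    departments: frozenset = frozenset()
    locations: frozenset = frozenset()
    devices: frozenset = frozenset()
    window: tuple = (time(0, 0), time(23, 59, 59))  # permitted (start, end) time of day

    def matches(self, r: Request) -> bool:
        start, end = self.window
        return (
            r.resource == self.resource
            and r.action in self.actions
            and (not self.roles or bool(r.roles & self.roles))
            and (not self.departments or r.department in self.departments)
            and (not self.locations or r.location in self.locations)
            and (not self.devices or r.device in self.devices)
            and start <= r.clock <= end
        )


def decide(rules, request):
    """Default-deny evaluation: permit only if some rule matches.
    Returns (allowed, rule_name) so every decision can be logged and audited."""
    for rule in rules:
        if rule.matches(request):
            return True, rule.name
    return False, None


# Constructed sample policy (assumption): analysts may read the case database
# from a managed workstation at headquarters during the working day; database
# administrators in the IT department may read and write it at any hour.
POLICY = [
    Rule("analyst-daytime-read", resource="case-db", actions=frozenset({"read"}),
         roles=frozenset({"analyst"}), locations=frozenset({"hq"}),
         devices=frozenset({"managed-workstation"}),
         window=(time(7, 0), time(19, 0))),
    Rule("dba-maintenance", resource="case-db", actions=frozenset({"read", "write"}),
         roles=frozenset({"dba"}), departments=frozenset({"it"}),
         devices=frozenset({"managed-workstation"})),
]


def make_request(hour=10, minute=30, **overrides) -> Request:
    """Builds a request around a constructed baseline (an analyst at HQ) so
    variations of a single attribute are easy to read."""
    base = dict(user="alice", roles=frozenset({"analyst"}), department="analysis",
                location="hq", device="managed-workstation", resource="case-db",
                action="read", clock=time(hour, minute))
    base.update(overrides)
    return Request(**base)


def allowed(hour=10, minute=30, **overrides) -> bool:
    return decide(POLICY, make_request(hour, minute, **overrides))[0]


if __name__ == "__main__":
    cases = [
        ("analyst, daytime, hq", make_request()),
        ("analyst, after hours", make_request(hour=22, minute=0)),
        ("analyst, unmanaged device", make_request(device="personal-phone")),
        ("dba writing at night", make_request(hour=23, minute=0, user="bob",
                                              roles=frozenset({"dba"}),
                                              department="it", action="write")),
    ]
    for label, req in cases:
        print(f"{label:28s} -> {decide(POLICY, req)}")
```

Because the evaluator returns the rule that granted access, the same structure doubles as the audit trail that Requirement 10 of the PCI list later on this page asks for; a denied request with `None` is equally worth logging.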

Now intelligence analysts will be better able to "connect the dots" and go beyond the boundaries of traditional culture that led to silos that inhibited information sharing. These organizations had established their own security classification rules and procedures, resulting in inconsistent use and understanding of security markings.

ODNI's goals statement summarizes this concept:

  • Define a uniform identity structure and uniform attributes to enable identity management, develop uniform standards and guidance for identity management, and support decentralized, agency-specific implementation
  • Establish identity management standards for authentication, authorization, auditing, and cross-domain services
  • Develop information security policies to support logical and physical data protection efforts
  • Create a common classification guide for the Intelligence Community
  • Establish a risk management approach that supports the common trust and information environment while still protecting sources and methods as well as sensitive information from disclosure

Organizations struggling with collaboration and the free flow of information across geographic boundaries, multiple trading partners and distributed business units may find an answer in role and policy-based network access solutions. If it works for the CIA, FBI and DHS it may just work for you.

Risky Behavior: Securing Credit Card Data

Over 234 million consumer credit card records with sensitive information have been breached since January 2005, according to Privacy Rights Clearinghouse.org. The seriousness of this problem begs us to examine the gap between meeting industry compliance requirements and the securing of confidential data.

A survey of businesses in the U.S. and Europe reveals activities that may put cardholder data at risk: 81% store payment card numbers; 73% store payment card expiration dates; 71% store payment card verification codes; 57% store customer data from the payment card magnetic stripe; 16% store other personal data. (Source: Forrester Consulting, The State of PCI Compliance, commissioned by RSA/EMC.)

As a result of this behavior by merchants, vulnerabilities were created in the card-processing ecosystem. Information security breaches occurred in point-of-sale devices; personal computers and servers; wireless hotspots; e-commerce applications; paper-based storage systems; and unsecured transmission of cardholder data to service providers.

To combat this trend, the PCI Data Security Standard (DSS) was created by the PCI Security Council, whose founding members include American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. To any security manager these standards are very familiar, as they mirror corporate best practices for network security. Here are the 12 requirements of PCI DSS.

Requirement 1: Install and maintain a firewall and router configuration to protect cardholder data

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters. Change your passwords often.

Requirement 3: Protect stored cardholder data. Anything stored should be encrypted, and cardholder data should not be retained, or, if retained, only for a limited time period.

Requirement 4: Encrypt transmission of cardholder data across open, public networks. Use strong cryptography and security protocols such as SSL/TLS or IPSEC.

Requirement 5: Use and regularly update anti-virus software or programs. Many vulnerabilities and malicious viruses enter the network via employees' e-mail and other online activities.

Requirement 6: Develop and maintain secure systems and applications. Security vulnerabilities in systems and applications may allow criminals to access cardholder account numbers and other cardholder data. Many of these vulnerabilities are eliminated by installing vendor-provided security patches.

Requirement 7: Restrict access to cardholder data by business need-to-know. To ensure critical data can only be accessed by authorized personnel, systems and processes must be in place to limit access based on need-to-know and according to job responsibilities. Role-based access control is helpful here.

Requirement 8: Assign a unique ID to each person with computer access. Assigning a unique identification (ID) to each person with access ensures that actions taken on critical data and systems are performed by, and can be traced to, known and authorized users.

Requirement 9: Restrict physical access to cardholder data. Any physical access to data or systems that house cardholder data provides the opportunity for persons to access and/or remove devices, data, systems or hardcopies, and should be appropriately restricted.

Requirement 10: Track and monitor all access to network resources and cardholder data. Logging mechanisms and the ability to track user activities are critical for effective forensics and vulnerability management.

Requirement 11: Regularly test security systems and processes. Vulnerabilities are being discovered continually by malicious individuals and researchers, and being introduced by new software. System components, processes, and custom software should be tested frequently to ensure security is maintained over time.

Requirement 12: Maintain a policy that addresses information security for employees and contractors. A strong security policy sets the tone for security affecting an organization's entire company, and it informs employees of their expected duties related to security.
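Requirement 3 is the one the survey figures above show merchants failing most often (verification codes and magnetic-stripe data are exactly what PCI DSS classes as sensitive authentication data that must not be kept after authorization). The following added example, which is not code from the original post or from the PCI Council, shows a storage sanitizer for an authorization record: it refuses a PAN that fails the Luhn checksum, drops the track data, verification code and PIN block, and truncates the PAN to the first six and last four digits, which is one of the methods PCI DSS accepts for rendering a stored PAN unreadable (encryption and tokenization are the alternatives and need key management this example avoids). The record layout and field names are assumptions constructed for the example.

```python
"""Added example: what an authorization record may look like after it has
been made safe to persist under PCI DSS Requirement 3. Field names and the
sample record are constructed assumptions."""

# Field names we assume an authorization record might carry (assumption).
# These are the sensitive-authentication-data fields that must not be stored
# after authorization: full magnetic stripe tracks, card verification code, PIN block.
SENSITIVE_AUTH_DATA = {"track1", "track2", "cvv", "pin_block"}


def luhn_valid(pan: str) -> bool:
    """Mod-10 checksum used to catch mistyped card numbers; it is a sanity
    check, not a security control."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 13 or len(digits) > 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep the first six and last four digits and mask the rest, so the full
    PAN never reaches storage."""
    digits = "".join(c for c in pan if c.isdigit())
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def sanitize_for_storage(record: dict) -> dict:
    """Return only the part of an authorization record that may be persisted."""
    if not luhn_valid(record.get("pan", "")):
        raise ValueError("PAN failed checksum; refusing to store a malformed record")
    kept = {k: v for k, v in record.items() if k not in SENSITIVE_AUTH_DATA}
    kept["pan"] = truncate_pan(record["pan"])
    return kept


# Constructed sample record (assumption) using a widely published test card number.
SAMPLE_AUTH = {
    "pan": "4111 1111 1111 1111",
    "expiry": "12/27",
    "cvv": "123",
    "track2": "4111111111111111=27121011000012345678",
    "pin_block": "0123456789ABCDEF",
    "amount": "42.00",
    "auth_code": "A1B2C3",
}

if __name__ == "__main__":
    print(sanitize_for_storage(SAMPLE_AUTH))
```

The point of raising on a bad checksum rather than storing whatever arrived is that a malformed "PAN" is usually a sign that the wrong field (often the track data) has been mapped into the record, which is precisely the data that must never be written.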

Global Security Threats in 2010

Professor Howard A. Schmidt, White House CyberSecurity Advisor and CEO of the Information Security Forum, recently spoke on the emerging threats created by the global economic upheaval. As businesses of all sizes expand via the Internet to engage with sales, production and distribution partners around the world, new threats emerge.

Political - Espionage, previously the stuff of the Cold War and Hollywood entertainment, has become a reality because almost anyone can use the Internet to unearth and piece together confidential information on individuals, governments and corporations. What is illegal behavior in the U.S. may not be illegal in the other countries your business operates in.

Legal - Theft and misuse of other companies' intellectual property and brand names is commonplace, and laws differ across each border. Identity theft we hear about regularly on the news. Electronic evidence can now be retrieved from all sorts of communication devices and protocols between employees and the world. What you say, where you say it and how you say it must now be monitored.

Economic - Organized crime has evolved from the days of extorting storekeepers for "protection" to well-planned thefts of credit card information and the kidnapping of customer hard drives via the Web. Emerging nations are using technology as a way to help their struggling economies, but in the midst of that growth criminals exploit the rudimentary architectures and security vulnerabilities.

Socio-cultural - High unemployment has increased the number of disgruntled employees and thus created an environment for more employee data theft, fraud, embezzlement, corruption and risk.

Web enablement of society - As more and more devices that are part of daily life become web-enabled the possibility of security incidents that have life threatening impact becomes real. An example is IP-enabled pacemakers. These devices contain a radio transmitter which connects wirelessly to receiving equipment to report on the condition of the patient's heart. Any problems are instantly reported to the doctor, and regular checkups can be done by remotely interrogating the home-based equipment. Imagine the impact on a person's life if the network were to be compromised.

5 steps to reduce global risk

The things you can do to reduce risk in this global economy, according to Professor Schmidt, include:

  1. Get the basics right - Identify critical and sensitive information that requires special handling and secure management. Continually re-assess your risks, identify and deploy security controls, and re-examine your security function's activities.
  2. Throw out assumptions - Look beyond historical data that might say "we've never had a security breach", because complacency is the point at which your risk grows greatest. Question your long-held beliefs about security and about the nature of threats from employees and business partners.
  3. Plan for uncertainty - Prepare for a whole new world where wireless communication is the norm and cyber criminals lurk in the alleys off each transmission. Develop and rehearse responses to a security incident, much like disaster recovery drills.
  4. Become a risk champion - Adapt to changes in your organization's risks. If previous security plans were based on old technologies that have since been updated, then update your security strategy and plans as well.
  5. Build for the future - Maintain your capabilities to respond to incidents; collaborate with others and have an end-to-end strategy.

Building a Better Password

A recent Newsweek article discussed the state of website passwords and asked the question "how do you build a better password?" What we learned is that the majority of accepted password methods, used on various websites, add a lot of complexity but not more security.

Computer researchers at Carnegie Mellon University are finding that many of the recent security advances in the banking, e-mail, and other critical systems you log into every day are adding more burdens to users but can still be hacked.

For example, mnemonic passwords, created by thinking of a phrase and combining the first letter of each word, are quite common. The article gives this example: the famous Ghostbusters line "Dogs and cats, living together!" becomes, with a few substitutions, "D&c,lt." However, most people use common, well-known phrases to create mnemonic passwords. As a result, scientists in a crude test were able to crack four percent of mnemonic passwords, suggesting that motivated hackers could do even better.

The other way most people create passwords is to rely on a single password and use simple variants for most websites. The problem with this approach is if that password is cracked at just one site, a savvy hacker can break into your personal information stored at other sites.

To discourage the latter from happening experts will tell you to create unique passwords for each website. And if you forget a password, no problem, just enter the right answer to one of several "security questions" that only you know. But a May 2009 study from Microsoft Research and Carnegie Mellon pulled the rug from under that approach by finding that subjects could guess their acquaintances' AOL and Yahoo challenges more than a quarter of the time. And, according to the study, one in five subjects forgot the answers to their own security questions in six months!

Instead of a mnemonic password, research suggests that users are better off constructing passwords out of a phrase itself: a passphrase. Newsweek gives this example: "a short but hard-to-remember string like 'J4fS<2' can be broken by what is called a brute-force attack (in which a computer attempts 'a,' then 'ab,' then 'abc,' and so on) in 219 years, while a long but easy-to-remember phrase like 'du-bi-du-bi-dub' will stand for 531,855,448,467 years."
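The article's two figures come from counting how many strings an exhaustive "a", then "ab", then "abc" search has to try before it reaches the password. The following added example (not code from Newsweek or the original post, and it goes beyond the article's two strings by estimating any password) makes that arithmetic explicit: it works out which character classes appear, sums the search space over every length up to the password's, and converts it to years at an assumed guess rate. The class sizes are the 95 printable ASCII characters split into lowercase (26), uppercase (26), digits (10) and symbols including space (33); the guess rate of one billion per second is an assumption, so the years produced here are not the article's numbers, but the ordering is the same.

```python
"""Added example: brute-force search-space estimator for passwords.
Character-class sizes are printable ASCII; the guess rate is an assumption."""
import string

# Alphabet an attacker must assume, built from the classes present in the password.
CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "symbol": set(string.punctuation) | {" "},  # 32 punctuation marks + space = 33
}


def charset_size(password: str) -> int:
    """Sum of the sizes of every character class that appears in the password."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def search_space(charset: int, length: int) -> int:
    """Guesses needed to exhaust every string of length 1..length over the
    alphabet, i.e. the 'a', then 'ab', then 'abc' enumeration in the article."""
    return sum(charset ** k for k in range(1, length + 1))


def years_to_exhaust(password: str, guesses_per_second: float = 1e9) -> float:
    """Worst-case time for an attacker who must try the whole space
    (guess rate is an assumption, not a measured figure)."""
    space = search_space(charset_size(password), len(password))
    return space / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    for pw in ("J4fS<2", "du-bi-du-bi-dub"):
        print(f"{pw!r:20s} alphabet={charset_size(pw):3d} "
              f"length={len(pw):2d} years={years_to_exhaust(pw):.3g}")
```

One caveat the estimator makes visible by omission: it charges nothing for predictability. A passphrase lifted from a famous lyric scores the same here as a random one of equal length, yet, as the mnemonic-password result above shows, well-known phrases are exactly what a guessing attack tries first, so the long passphrase earns its years only if it is not a phrase an attacker would think to enumerate.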

The main point here is that a simpler approach to creating a password can be stronger than the accepted wisdom of combining letters, numbers and symbols. So break out those old Sinatra songs, "do be do be doo... strangers in the night..."; there could be some great passwords in them.

Do We Still Need Employee Monitoring Software?

Several years ago software that monitored employee use of the Internet was big news. We heard how thousands of workers, on company time, visited pornographic sites, downloaded music and videos or just spent inordinate amounts of time surfing the web.

Sexual harassment cases and lawsuits came up when folks saw offensive materials on their co-workers' computers. Bandwidth charges were going up and network performance going down. In addition, there were statistics that said over 87% of hacking and confidential data losses were from company insiders. Workers just couldn't be trusted.

The question is: "Has the situation evolved?" While there are more restrictions, guidelines and penalties for inappropriate use of company assets and handling of confidential materials, has employee behavior changed? And therefore, do we still need surveillance software for our employees? The answers are no and yes, respectively: behavior hasn't changed, and we still need monitoring software.

Recent surveys indicate a majority of employers monitor their employees. They are motivated by concern over litigation and the increasing role that electronic evidence plays in lawsuits and government agency investigations.

Internet monitoring software has now evolved into larger security and surveillance suites. You can monitor and trace employees' use of e-mail, the Internet, computer files, keystrokes, chats in all popular instant messengers, logins and logouts, as well as "shadow copy", which allows network administrators to create copies of files that workers transfer to USB devices.

Solutions include the following:

Record logging: record everything from keystrokes, websites visited, FTP downloads and P2P downloads to screen captures of what is on a user's computer

Email Logging: emails sent and received as well as attachments and Instant Messenger discussions can be monitored and recorded

Internet Filters: block ports on your network servers normally accessed by certain Internet protocols, as well as specific websites, bulletin boards, P2P downloads, foreign languages, and content using keyword filters

Anti-spyware/anti-virus: block downloads which are identified as potentially harmful as well as viruses, worms, malware, spam, drive-by downloads and phishing attacks

While most transgressions in the workplace are committed by a few, the impact on the organization of a single breach of trust could be great. Therefore we continue to monitor, safeguarding the halls of our institutions.
